A recent cybersecurity discovery has unveiled a resurgence of the ZLoader malware, nearly two years after the disruption of its botnet infrastructure in April 2022. Threat hunters identified a novel campaign delivering this malware, featuring a new variant that has been in development since September 2023.
According to researchers, the latest version of ZLoader introduces significant changes to its loader module, incorporating RSA encryption, updating the domain generation algorithm, and now offering compatibility with 64-bit Windows operating systems for the first time.
Originally stemming from the Zeus banking trojan in 2015, ZLoader, also known as Terdot, DELoader, or Silent Night, evolved into a loader for subsequent payloads, including ransomware. Its distribution typically involves phishing emails and malicious search engine ads.
ZLoader was previously dealt a blow by a consortium of companies, led by Microsoft’s Digital Crimes Unit (DCU), which seized control of 65 domains used for communication with infected hosts. The new versions, labeled 2.1.6.0 and 2.1.7.0, incorporate defensive measures such as junk code and string obfuscation to thwart analysis efforts. Moreover, each ZLoader artifact requires a specific filename for execution on compromised hosts, potentially evading malware sandboxes that rename sample files.
The malware employs RC4 encryption with a hardcoded alphanumeric key to encrypt the static configuration, concealing campaign-related information and command-and-control (C2) server details. Additionally, it utilizes an updated version of the domain generation algorithm as a fallback in case primary C2 servers become inaccessible, a tactic first identified in ZLoader version 1.1.22.0 in March 2020 phishing campaigns.
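As an added example (not code from the article or from the researchers it cites), the following Python shows how an analyst decrypts an RC4-protected static configuration once the hardcoded key has been recovered from a sample, and then pulls out the campaign tag and C2 list. The key, the encrypted blob, and the NUL-separated field layout are all constructed for illustration; ZLoader's actual key and configuration format are not described in the article.

```python
# Added example (not from the article): decrypting an RC4-protected static
# configuration the way an analyst would once the hardcoded key has been
# recovered from a sample. The key, the blob, and the field layout below are
# constructed for illustration and are not ZLoader's real values.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                           # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(plaintext: bytes) -> dict:
    """Hypothetical layout (constructed, not ZLoader's): NUL-terminated ASCII
    fields, the first being a campaign tag and each following one a C2 URL."""
    fields = plaintext.split(b"\x00")
    # A decryption with the wrong key almost never yields a trailing empty
    # field plus pure ASCII, so this doubles as a cheap plausibility check.
    if len(fields) < 2 or fields[-1] != b"":
        raise ValueError("config does not match the expected layout")
    try:
        decoded = [f.decode("ascii") for f in fields[:-1]]
    except UnicodeDecodeError:
        raise ValueError("config is not ASCII: wrong key or corrupted blob") from None
    return {"campaign": decoded[0], "c2": decoded[1:]}


def decrypt_config(key: bytes, blob: bytes) -> dict:
    """Decrypt the static configuration blob and parse it into its fields."""
    return parse_config(rc4(key, blob))


# Constructed sample: a hypothetical hardcoded alphanumeric key and a
# configuration encrypted with it (built here so the example runs offline).
SAMPLE_KEY = b"q7Rk2xL9pA4m"
SAMPLE_PLAINTEXT = (
    b"test-campaign\x00"
    b"https://c2-one.example/\x00"
    b"https://c2-two.example/\x00"
)
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    # Sanity-check the RC4 implementation against a published test vector.
    assert rc4(b"Key", b"Plaintext") == bytes.fromhex("bbf316e8d940af0ad3")
    print(decrypt_config(SAMPLE_KEY, SAMPLE_BLOB))
```

The published "Key"/"Plaintext" test vector guards against a subtly wrong RC4 implementation, which would otherwise produce silent garbage. The ASCII and terminator checks in `parse_config` catch a wrong or stale key early; this is also why a hardcoded symmetric key only hides C2 details from casual inspection, not from an analyst who has pulled the key from the binary.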
Despite a temporary halt in ZLoader’s activity due to the operational takedown, the threat group behind it remains active, and the malware’s resurgence raises concerns about potential new ransomware attacks, according to the researchers.
This discovery aligns with researchers’ warnings of an uptick in campaigns leveraging MSIX files to deliver malware, including ZLoader, which prompted Microsoft to disable the protocol handler by default in late December 2023. Moreover, the cybersecurity landscape has witnessed the emergence of new stealer malware families like Rage Stealer and Monster Stealer, serving as initial access points for information theft and for launching more severe cyber attacks.
Defending against the new ZLoader malware variant requires a multi-faceted approach. Regularly updating antivirus and anti-malware software is essential, as these tools can identify and neutralize known threats. Implementing intrusion detection and prevention systems enhances the ability to detect malicious activities in real time. Additionally, network segmentation and access controls can limit the impact of a potential ZLoader infection.